Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- delimited by comma but not .csv file
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
delimited by comma but not .csv file
I have a jobinfo.log file in my server, it was delimited by comma but not [xxxx.csv] file.
So it can not be added into index just like [.csv].
I don't want to change the extension from [.log] to [.csv],but the extension has to be changed ?
Below is the jobinfo.log file
80925610,00004105,00000000,10660,"20170213140245","20170213140245",1,0,0,"ro,o,t","root"
80925612,00004106,00000000,10660,"20170213140250","20170213140250",1,0,0,"ro,o,t","root"
80925626,00004125,00000000,10660,"20170213140411","20170213140411",1,0,0,"ro,o,t","root"
You can see that the comma also in double quotation, so if the extension is not [.csv] then the result will be below
1,0,0,"ro,o,t","root" -> 1,0,0,ro,o,t,root #the string "ro,o,t" also be delimited by comma
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't have to be a *.csv file to be able to use the sourcetype definition (event breaking, timestamp recognition etc) of built-in sourcetype csv. When you setup the data monitoring (input.conf), just explicitly assign the sourcetype as "csv".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you so much!
it's worked !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For this source, set up your props.conf with these and it should extract correctly.
FIELD_DELIMITER = ,
FIELD_QUOTE = "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So are you just trying to bring this data in so that it will be separated into fields like a csv would be?
In that case bring the data in as a sourcetype (preferably unique sourcetype name), open it in search, expand one line, click "Event Actions" and use the field extractor. Choose "delimiters" , choose comma, and name the fields. This will create a transforms and props.conf for this sourcetype.
Or edit the transforms & props.conf files
https://answers.splunk.com/answers/170251/how-to-extract-two-fields-separated-by-delimiter-c.html
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
